pcsafedoctor

Guest

pcsafedoctor

Post by Guest » Wed Apr 06, 2011 10:31 pm

I recently came across pcsafedoctor.com.
Since images speak better than words, please take a glance at the snapshots posted.





1) pcsafedoctor claims to provide a "free antispyware scan"
2) There is nothing free, of course: you cannot fix any supposed threat or error found unless you pay
3) They apparently provide only 128-bit encryption
4) No EULA is displayed during setup (37 Mb size)






5) Oops
MBAM Pro real time module detects a Trojan.Agent during setup. I hit ignore





6) A very fast scan starts: 33 "unknown" files detected (all legit XP SP3 system files and sandboxie and novirusthanks anti-rootkit free setup files)






7) I run a scan with MBAM and with HitMan Pro







Virustotal Report of the driver installed

http://www.virustotal.com/file-scan/report.html?id=6be8eff6c9d064fc2391d2704fc93ddf99e9b093501ca06014af02c0b510ecbb-1302126130


File name: RKHit.sys
Submission date: 2011-04-06 21:42:10 (UTC)
Current status: finished
Result: 5/41 (12.2%)


ClamAV 0.97.0.0 2011.04.06 Trojan.Rootkit-2922
Comodo 8248 2011.04.06 UnclassifiedMalware
McAfee 5.400.0.1158 2011.04.06 Generic PUP.z!dm
McAfee-GW-Edition 2010.1C 2011.04.06 Generic PUP.z!dm
NOD32 6020 2011.04.06 Win32/Adware.SpywareCease

"Whois"
http://whois.domaintools.com/pcsafedoctor.com

Domain name: pcsafedoctor.com

Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent ()
+1.4252740657
Fax: +1.4259744730
PMB 368, 14150 NE 20th St - F1
C/O pcsafedoctor.com
Bellevue, WA 98007
US

Name Servers:
dns1.name-services.com
dns2.name-services.com
dns3.name-services.com
dns4.name-services.com
dns5.name-services.com

Creation date: 14 May 2010 03:32:26
Expiration date: 14 May 2011 03:32:00


Would some security experts do a thorough investigation?
I'm not an expert, even if I think I can recognize this kind of scam

pcsafedoctor.com

I shall comment it under "phishing or other scam" even if I think that "spyware or adware" might be another good choice

Any suggestions, advice, corrections etc. are welcome

Thanks










Guest

RE: pcsafedoctor

Post by Guest » Wed Apr 06, 2011 11:00 pm

The installation file PCSafeDoctor_Setup.exe has no digital signature; in addition, it has been detected by some antiviruses as spyware.
Indeed, if you have a look at the properties you will also notice "Language: Universal".
It made me smile, I have to confess :-)

leofelix™

Guest

Scam, Spyware and Adware!

Post by Guest » Wed Apr 06, 2011 11:23 pm

Issues:

  • Site's whois record is undisclosed; domain pcsafedoctor.com is registered for only one year, which in this case looks suspicious.

  • No contact data (address, phone and so on), only E-Mail.

  • The installation file PCSafeDoctor_Setup.exe has no digital signature; in addition, it has been detected by some antiviruses as spyware. //Edit: detected file: RKHit.sys, read the OP for clarification.


  • So, to me that's enough to rate this site due to these "Ethical issues", and also as "Spyware or adware".

    Thanks to leofelix antispyware™ :-)


    RE: pcsafedoctor

    Post by Satchman » Thu Apr 07, 2011 1:05 am

    Obviously a scam and a fraud. Rated Red.

    Shockingly, virustotal reports this site is clean!???? WTF!?

    http://www.virustotal.com/url-scan/report.html?id=a80ae24aa39190b17e06629b85042756-1301489527

    What can we do to alert them of this threatening site?

    Satch





    BestQi.com

    Post by c۞g » Thu Apr 07, 2011 6:52 pm

    ∞ Opto, ergo sum
    _https://en.wikipedia.org/wiki/And_You_and_I


    Guest

    RE: BestQi.com

    Post by Guest » Thu Apr 07, 2011 7:10 pm

    @ g7w
    Thanks
    I had already found those threads.
    I didn't send the main post there because of the whois of the 1st website

    Domain name: pcsafedoctor.com

    Administrative Contact:
    Whois Privacy Protection Service, Inc.
    Whois Agent ()
    +1.4252740657
    Fax: +1.4259744730
    PMB 368, 14150 NE 20th St - F1
    C/O pcsafedoctor.com
    Bellevue, WA 98007
    US

    --------------

    I have also found its IP address interesting, according to HPHosts

    http://hosts-file.net/?s=208.115.197.126

    Guest

    RE: pcsafedoctor

    Post by Guest » Thu Apr 07, 2011 7:11 pm

    @ satchman
    Sorry for the late reply.
    VirusTotal cannot scan files larger than 20 Mb size and cannot know what happens once a file is executed.
    The executable is over 37 Mb size.
    Moreover, when I tested that "rogue antispyware" I disabled some real time protection modules of EMSISOFT antimalware. This might explain why that driver has not been detected immediately.

    ----------------
    By the way:
    I have found another suspicious website

    threatremove.com

    It apparently provides the same "products", smaller in size though

    The WhoIs looks very interesting

    http://whois.domaintools.com/threatremove.com

    Administrative Contact:
    BestQi.com
    Luo Gang ()

    +86.13768395729
    Fax:
    Huojulu Yinda Huanyuan 5dong 2danyuan 212#
    Nanning, GUANGXI 530000
    CN

    Name Servers:
    dns1.name-services.com
    dns2.name-services.com
    dns3.name-services.com
    dns4.name-services.com
    dns5.name-services.com


    http://www.mywot.com/en/search/node/BestQi.com

    Have a look at this thread, for instance
    http://www.mywot.com/en/forum/7626-free-scan-scam

    Nevertheless, while the first website has not been reviewed by siteadvisor, the second one was

    http://www.siteadvisor.com/sites/www.threatremove.com (Clean according to McAfee siteadvisor even if apparently they didn't check the setup file)

    which is affiliated to
    http://www.siteadvisor.com/sites/bestspywarescanner.net/summary/


    The template of the website is different





    RE: pcsafedoctor

    Post by c۞g » Tue Mar 05, 2013 4:02 am

    uninstallhelp.com
    reversenow.imebook.hop.clickbank.net


    DL via: http://reversenow.imebook.hop.clickbank.net/?gid=&yid=&aid=&tid=&qs=PerfectUninstaller.php



    RE: pcsafedoctor

    Post by hotdoge3 » Wed Mar 06, 2013 9:49 am

    http://www.prevx.com/filenames/X27257074565936976-X1/PCSAFEDOCTOR_SETUP.EXE.html
    Malicious Software

    http://systemexplorer.net/file-database/file/pcsafedoctor-exe
    "pcsafedoctor.exe" with final rating Safe and 2 variants with final rating Threat. Final ratings are based on file reviews, discovered date, users occurrence and antivirus scan results.
